Summer 2017

Leadership Update

New Information Security Policy & Standards—Nearly There

The revised Information Security Policy (SPG 601.27) is in the final stages of the approval process. Once the policy is approved, it will replace the current version of the policy in the university's Standard Practice Guide (SPG).

The standards that support the revised policy are entering the final stage of their approval process as well. IA staff are finishing up revisions to incorporate additional feedback and expect to submit the final versions to Vice President for Information Technology and Chief Information Officer Kelli Trosvig for her approval and signature later this summer. Once signed, the standards will be published on the CIO website. In addition, there are plans to convene a multi-unit working group to review the standards on a periodic basis.

The new policy and standards will be implemented in a phased approach to give units a reasonable amount of time to learn about and comply with the recommendations and guidance.

In the meantime, web pages covering current IT policies have been reorganized to make existing policies and standards easier to find:

Project & Capability Updates

EIAM Projects Explore Roles & Access Management, Social Login

The Enterprise Identity and Access Management (EIAM) program continues to make progress toward improving and simplifying how people obtain U-M accounts and access to U-M resources across the entire university. Project teams within the program are working on these efforts and more:

  • Roles and access management. The program recently submitted a Request for Proposals (RFP) for a vendor to pilot an enterprise-level roles and access management solution. Three vendors will conduct demonstrations on the Ann Arbor campus in July, and the project team plans to identify pilot groups in August.
  • Social login. Efforts are underway to explore a social login option with the Alumni Association and HathiTrust Digital Library. Social login products allow people to use a social media account, such as Facebook, to log in to another service or resource.
  • Uniqnames. Team members are working with campus partners to analyze the future of uniqnames and make recommendations for meeting the requirements of a growing user base and changing technological expectations.

For more details on the progress of EIAM program projects, visit News & Updates on the program website for a list of current and past monthly status reports. To receive the monthly updates through email, join the EIAM Program Stakeholders group in MCommunity.

U-M's New Sensitive Data Classification Levels on Safe Computing

To support the proposed revision of the IT Security Policy, Information Assurance has published revised U-M Data Classification Levels on Safe Computing. The revised policy will be supported and supplemented by specific operational, procedural, and technical standards, many of which specify actions to take based on the classification level of the data involved. The new data classification levels replace ones that had been in place since 2008.

Two pages with examples of sensitive university data are also available:

These examples are not comprehensive. If you have questions about a particular data type and its classification, contact the ITS Service Center.

Protect Users On Your Unit's Networks from Malicious Websites

Screenshot of the safe page users are redirected to when they attempt to access a malicious site. The page says "Warning: Malicious Website Blocked."

On June 8, we began protecting MWireless users from malicious websites through the use of Domain Name System (DNS) redirection. Users of the MGuest network got this protection in May. The number of malicious sites blocked varies, with anywhere from 400 to 600 websites blocked on any particular day.

DNS redirection blocks connections to websites known to be malicious—websites that attempt to steal personal information or infect devices with malware—and redirects the user to a safe page with information about the blocking. DNS redirection does not collect information about users or the content of the sites they visit. Users who believe the destination site was blocked in error can report that using an online form. Details are on Safe Computing at Malicious-Website Blocking (DNS Redirection).

If you would like your unit's networks to protect users from malicious websites with DNS redirection, send a request to the ITS Service Center.

In addition to working directly with some units, we are working on plans to extend this protection to other networks on the Ann Arbor campus that use ITS DNS. This will likely include Eduroam and wired Ethernet connections in most U-M buildings associated with the Ann Arbor campus.

Try Out New Chrome Extension that Warns of Malicious Websites

A new Google Chrome extension written by IA staff warns users if they go to a malicious website. In particular, it identifies phishing websites that mimic the U-M Weblogin page and sites identified by U-M IT security staff as significant threats targeting the U-M community.

We've tested the extension, and now we'd like your input. Would you try it out and consider installing it on university-managed devices in your unit? If you have suggestions or concerns, let us know so we can keep improving the extension. After you've had a chance to try it out and we've incorporated your feedback as needed, we'll announce the extension more broadly and encourage members of the university community to install it on their own devices.

Information about the Chrome extension, including a link to download it, is on Safe Computing: U-M Safe Computing Website Checker (Chrome Extension).

New U-M Policy Makes Software Purchases Easier

If you purchase software for university use, please be aware of Software Procurement and Licensing Compliance (SPG 601.03-03). This new policy, which took effect April 10, 2017, was developed by Procurement Services with input from Information Assurance, Office of the General Counsel, and others.

Under the new policy, university PCards or purchase orders can be used to purchase non-competitively bid software up to $5,000 and $10,000 respectively for academic, administrative, clinical, research, and teaching use without pre-approval.

The new policy benefits the university by:

  • Empowering software purchases that need to be made quickly in support of teaching, research, and other U-M core missions.
  • Allowing faculty, staff, and units to agree to click-through agreements.
  • Removing software from the restricted commodities list.
  • Reflecting the current software purchasing model (cloud-based or instantly downloadable).
  • Supporting effective software asset management by assisting departments, researchers, and faculty in procuring and managing purchased software.
  • Articulating standards of ethical conduct concerning licensed and copyrighted software and helping ensure that U-M and its faculty and staff stay in legal compliance with licensing agreements.

Procurement Services is available to review and assist with interpretation of license language as needed and offers guidelines for purchasing software and electronic services. Check with your supervisor to see if any unit-specific implementation expectations apply to you.

E-Signature Service Comes to U-M; SULs Asked to Provide Guidance

The university recently signed an enterprise services agreement with Barracuda Networks for a new e-signature service called U-M SignNow (U-M SignNow project site). The agreement covers all campuses—UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine.

The U-M SignNow project team is recommending, at Important References for U-M SignNow, that faculty and staff who wish to use the new service with sensitive or regulated data contact their Security Unit Liaison (SUL) for guidance to ensure that their use complies with university, unit, and department policies and guidelines. Guidance is available in the Sensitive Data Guide to help you: Sensitive Data Guide: SignNow at U-M (E-Signature). If you have questions, you can direct them to the project team at [email protected] or to Bob Sabourin, project lead, at [email protected].

Units piloting the service include the Alumni Association, Athletics, College of Engineering, Conference and Event Services, Michigan Medicine, Shared Services Center, and UM-Flint. The project team expects about 50 users representing 5,000 document transactions during this pilot.

A second pilot this fall will increase participation to about 200 users representing 40,000 or more document transactions annually. The service will launch at full capacity in 2018 after both pilot phases have been successfully completed.

Reminders & Events

Transfer File Ownership Before People Leave the U

Make File Transfer Part of Offboarding
When U-M employees leave the university or transfer from one unit to another, it is important to consider transferring ownership of files and other digital resources needed for university business. See these resources for tips and information:

What to Do If Something Is Missed
In cases where ownership of digital files and information is not transferred before an employee leaves the university, or when a U-M account holder becomes incapacitated or dies, there may be a compelling business or personal need for others to gain access.

Units can request access for U-M business reasons, and in rare cases, people with a personal relationship to the account holder may wish to request access to personal materials held in a U-M account. The university may provide such access where reasonable and appropriate in accordance with university policy. Guidance is available at Getting Access to Someone Else's Account.

Plan to Attend SUMIT_2017 on October 19

Block out October 19 on your calendar and plan to attend SUMIT_2017 at Rackham Auditorium on the UM-Ann Arbor campus. The Security at University of Michigan IT (SUMIT) conference is an annual symposium designed to raise awareness and educate the community about important cyber security and privacy issues. IA hosts this free event every October during National Cyber Security Awareness Month, offering a rare opportunity to hear nationally recognized experts discuss the latest cyber security and privacy topics and trends.

Safe Computing Events Calendar Features Security & Privacy Events

Looking for local events or online webinars covering IT security and privacy topics at no charge? Check out the Safe Computing Events Calendar. And if you have a free educational event you'd like us to include, send it to [email protected].

In the News

U-M Professor Outlines Steps to Secure Elections

Here’s How to Keep Russian Hackers from Attacking the 2018 Elections
The Washington Post, 6/21/17
U-M Professor J. Alex Halderman and Justin Talbot-Zorn, an adviser to the National Election Defense Coalition, joined with more than 100 experts on election administration, computer science, and national security to lay out an "actionable plan for safeguarding the vote." The plan's supporters include Republicans and Democrats alike, and the plan's cost is relatively low. Read this article to learn how a U-M expert recommends securing U.S. elections.

How Much Privacy Do You Expect?

How Privacy Became a Commodity for the Rich and Powerful
The New York Times Magazine, 5/9/17
According to this article, "Privacy costs often become clear only after they’ve already been paid." When we sign up for services that sound convenient, we may be surrendering privacy. It might seem like we surrender small amounts of information, but it all adds up. The article continues, ". . . our digital dossiers extend well beyond the individual pieces of information we know are online somewhere; they now include stuff about us that can be surmised only through studying our patterns of behavior." Learn more about privacy at U-M on Safe Computing.

Tips to Share

Need to Two-Factor While Traveling?

Will you need to use two-factor authentication (Duo) while on a trip? Duo offers multiple options to meet your needs when traveling. You may be able to use your regular Duo two-factor option, although you might need to use alternative options depending on your travel plans.

Plan Ahead

Consider Using Passcodes

  • When your phone or tablet does not have a cellular or WiFi connection, use the Duo Mobile app to generate passcodes.
  • Get passcodes via text message. You will still need a cell phone connection, but a text message will often get through even when you have spotty data coverage.

For more advice and links to helpful resources, refer to Traveling with Duo.

New Two-Factor Brochures for Your Unit!

Printed brochures (4-1/4 by 3-1/2 inches) on a variety of IT security topics are available to you for distribution in your units.

Our newest brochure, Turn on Two-Factor for Weblogin (see PDF preview), encourages members of the university community to turn on two-factor for Weblogin. It explains what two-factor for Weblogin is, why people should use it, how to turn it on, and what to expect when it’s turned on.

  • Request copies of the brochure for your unit by sending email to [email protected]. The brochures are available for U-M use at no charge.
  • Visit IT Security Posters & Brochures to see all the available brochures, as well as printable IT security posters (8-1/2 by 11 inches; PDFs).